11 ways you can avoid IoT threats

February 2017

The internet of things promises amazing possibilities. It also threatens chaos if security isn't taken seriously. Thomas McGrath considers how we can ensure we stay safe and still enjoy the new technology’s benefits.

If you were selling smart home lighting systems just a few summers ago, you would recall how enthralled and transfixed your clients would get, knowing about its astonishing features and the swag tag that went along with it. And if you told them that they could zap their lights on or off at home simply by using their smartphones even when dog sledding on a snow tour in Norway, they would probably look at you quirkily with quiet disbelief, smirking and thinking it to be your flight of fantasy.

Jump to the present. On this very day, as you read on, close to 5.5 million smart devices across the world have connected and are talking to each other over the internet. This is the present size of this exploding, gargantuan universe of the internet of things (IoT). While all this suggests that the line of distinction between science fiction and reality is increasingly blurring, it also throws light on the risk associated with staying in the fast lane of technology.

The figure of over 1 million malware attacks reported on a daily basis leaves us without an 'IoT'a of doubt that this threat is real and looming large.

Right from kettles and Pan-Tilt-Zoom cameras to pacemakers, and even power grids and dams have seen attempts at being hacked and attacked. Security threats of this nature can snowball easily, with vulnerabilities found in one device cascading into others.

What causes vulnerabilities?

According to Bruce Schneier, Chief Technology Officer at Resilient, risks from IoT devices emerge due to three things: software control (whether a device supports software updates), interconnections between systems (eg a Gmail account getting compromised due to vulnerabilities in a Samsung smart refrigerator), and the autonomy that a device is endowed with (eg computers that are capable of firing or cooling down furnaces through an automated program, or driverless cars that are capable of independently navigating their way around traffic). Here's a list you can't afford to ignore:

Outlook towards security: For a few technology companies of today, and most of yesteryears, unfortunately security has taken a back seat. Instead, they have focused on product innovation and features, perhaps without taking cognizance of the grave importance that security has today.

Lack of awareness of the network constituents: A smart device that is connected to a network represents just one piece in a jigsaw of myriad interconnected devices. And if it carries vulnerability, it automatically puts the others at risk. Not knowing what's on the network is akin to running a poultry farm without keeping count of stock and without conducting any screening test for bird flu.

Using outdated protocols: Devices that may be running on old protocols like the Session Initiation Protocol (SIP) serve as sitting targets for easy intrusion and hacking.

Systems that have no provision for updates: Previous generation devices, or even latest smart deviceswithout any provision for software updates are the weakest smart devices that are vulnerable to incursions. Cars, refrigerators and thermostats for example have a low replacement rate in society, leaving manufacturing companies bereft of any financial motive in providing ongoing software support.

Systems that enjoy autonomy: Devices that have minimal human intervention have a downside in them being easy targets for attackers.

Devices without encryption: Even if a smart device has no basic level of encryption, it becomes an open invitation for malevolent hackers to gain entry into the network.

Systems with known vulnerabilities: Systems such as the Samsung SmartThings smart home platform for example have been reported to have known vulnerabilities that are easily pregnable. It would be a great cause for worry if these devices do not get the necessary patches before a zero day exploitation occurs.

Overwhelming volumes of data: A Federal Trade Commission report states that it takes less than 10,000 smart households to generate more than 150 million discrete data points each day. With data reaching such humungous proportions, the need of the hour is to plug all possible entry points into sensitive personal information that can fall into the hands of perpetrators.

Unauthorized circulation of data: There are instances where data that we may allow one entity to gather from us, gets intentionally accessed by another for reasons legitimate or otherwise. To illustrate, an insurance company may use information from your wearable fitness device to calculate the health insurance premium that you need to pay.

Breach of privacy: Some devious manufacturers or hackers may stealthily track you through smart devices that you may unsuspectingly be using.

While these factors are enough for us to lose sleep over the security positions of our devices and networks, thankfully, there are measures that can give us a fair amount, if not total immunity against IoT attacks. Let’s look at some of these.

11 assuring ways to circumvent IoT threats

Be aware of what's on your network: Know your smart devices and also ascertain their security positions. As far as possible, refrain from using the ones that carry inherent vulnerabilities.

Patch and secure all devices: Update all firmware on your devices. Through Microsoft SCCM, you can use an application such as 1E's Nomad to safely distribute enterprise approved software and patches using a P2P approach across thousands of employees across geographies. It would also help to provide a unique identity key to each device that talks to your IoT hub to ensure authentication. You may choose to contact your manufacturer for providing a security certificate for your device.

Use a secure connection: Make sure your internet connection is adequately secure.

Be conscious of cloud security: Clamp your data in an armour of security as it moves to and from the cloud.

Initiate penetration tests: One of the best ways that determine if your devices and networks can fend off a possible attack is to routinely conduct penetration tests to simulate a scenario and assess the outcome.

Insist on data encryption: Raise consciousness about data security within the organization.

Protect your network: Strength your IT policies and deploy the technology needed to neutralize any possible attack on your network.

Erect firewalls: CCTV cameras and business systems need to be flanked by secure firewalls at all times.

Disable Universal Plug and Play: Turning off the universal plug and play feature on your routers and smart devices connected to the network can thwart a possible attack.

One password for one device: Do not use the same password for more than one device to avoid any domino effect on your network in the event of an attack.

Create a 'guest' network to protect the 'home': If you simply must use devices with known vulnerabilities, create a guest network first and have them connected to that. That way, even if they fall prey to an attack, the guest network would remain quarantined and detached from the home network.

As time and technologies advance, the security positions, challenges and remediation measures would get remodelled. Be prepared to ride the char'IoTs' of fire.

About the author

Thomas McGrath is a journalist and film maker, and works as a technical writer at 1E. He has written for the likes of Telecoms.com, Digital TV Europe and Business Cloud News, among others, covering topics such as apps, the Internet of Things and TV. He has also written plenty of non-techy stuff for the likes of Dangerous Minds, VICE and Headpress. He lives in London with his wife, son and cat.

Comments (2)

Security of something like the IoT requires a holistic view. It's not just about risks *from* IoT such as encryption, privacy and vulnerabilities. The great looming risk *to* M2M/IoT relates to availability (and therefore to some extent also *from*).

This is a common mistake, e.g.: Sicari et al, 'Security, privacy and trust in Internet of Things: The road ahead' (2015). Schneier has been guilty of this in the past though more recently he's started to talk about the "A" in "CIA", e.g.: http://nymag.com/selectall/2017/01/the-internet-of-things-dangerous-future-bruce-schneier.html.

Need an example? The 2G sunset. Millions upon millions of devices are going to stop working and require total or component replacement - vehicle/insurance trackers, smart meters, smart home hubs, offender management tags, child tracking bracelets, building alarms, pet and livestock tags/collars, ...

If you want connected products (which become infrastructure over time) you need to consider risks and dependencies decades ahead with as complete a framework as is possible.

Report Comment

Reason for reportFurther comments

2

Bob H wrote on 27th Feb 2017

Very Interesting and a good indication of what one needs to do. I do however fear for individuals and small business that do not have the knowledge or the resources to manage the type of security that is needed in this day and age. For a small business the cost of IT and all the associated security is potentially a major overhead that they can ill afford or even appreciate that they need. Individuals and small businesses need cost effective help and reliable secure devices that can be maintained as technology advances.